ngs-doo/dsl-json

Dependency org.postgresql:postgresql, leading to CVE problem

CVEDetect opened this issue · 1 comment

Hi, in processor, there is a dependency **org.postgresql:postgresql:42.2.5.jre6** that calls the risk method.

CVE-2022-26520

The affected version range of this CVE is [42.1.0,42.3.3)

After further analysis, in this project, the main API called is org.postgresql.Driver: connect(java.lang.String,java.util.Properties)Ljava.sql.Connection;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 6

```
com.dslplatform.json.AnnotationCompiler: buildExternalJson(java.lang.String,com.dslplatform.json.AnnotationCompiler$CompileOptions,com.dslplatform.json.processor.LogLevel,javax.annotation.processing.Messager)Ljava.lang.String; /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.Main: processContext(com.dslplatform.compiler.client.Context,java.util.List)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: check(com.dslplatform.compiler.client.Context)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: testConnection(com.dslplatform.compiler.client.Context)Z /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
com.dslplatform.compiler.client.parameters.OracleConnection: getConnection(com.dslplatform.compiler.client.Context,java.lang.String)Ljava.sql.Connection; /.m2/repository/org/postgresql/postgresql/42.2.5.jre6/postgresql-42.2.5.jre6.jar
org.postgresql.Driver: connect(java.lang.String,java.util.Properties)Ljava.sql.Connection;
```


Dependency tree--

```
[INFO] com.dslplatform:dsl-json-processor:jar:1.10.0
[INFO] +- com.dslplatform:dsl-clc:jar:1.9.10:compile
[INFO] |  +- org.postgresql:postgresql:jar:42.2.5.jre6:compile
[INFO] |  \- org.fusesource.jansi:jansi:jar:1.17.1:compile
[INFO] +- com.dslplatform:dsl-json:jar:1.10.0:compile
[INFO] +- com.dslplatform:dsl-json-java8:jar:1.10.0:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.assertj:assertj-core:jar:3.10.0:test
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.3:test
[INFO] +- com.google.code.findbugs:jsr305:jar:2.0.1:test
[INFO] +- com.google.code.gson:gson:jar:2.5:test
[INFO] \- javax.validation:validation-api:jar:2.0.1.Final:test
```

Suggested solutions:

Update dependency version

Thank you very much.
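As an added example (not part of the issue report above and not code from dsl-json), the following Python script takes the `mvn dependency:tree` output quoted in the report, locates `org.postgresql:postgresql`, checks its version against the reported range `[42.1.0,42.3.3)`, and prints the path from the root module down to the affected artifact, which is what a triager needs to see that the driver arrives transitively through `dsl-clc`. The tree lines, the range and the coordinates are copied from the report; the version comparator is a simplification of Maven's ComparableVersion ordering (known pre-release qualifiers sort below the bare release, any other qualifier such as `jre6` sorts above it) and is an assumption of this example, not Maven's own implementation.

```python
import re

# Dependency tree lines as printed by `mvn dependency:tree`, copied from the
# issue report above (the tail of the tree is omitted; the flagged artifact sits
# two levels below the root module).
TREE_LINES = [
    "[INFO] com.dslplatform:dsl-json-processor:jar:1.10.0",
    "[INFO] +- com.dslplatform:dsl-clc:jar:1.9.10:compile",
    "[INFO] |  +- org.postgresql:postgresql:jar:42.2.5.jre6:compile",
    r"[INFO] |  \- org.fusesource.jansi:jansi:jar:1.17.1:compile",
    "[INFO] +- com.dslplatform:dsl-json:jar:1.10.0:compile",
    "[INFO] +- com.dslplatform:dsl-json-java8:jar:1.10.0:test",
    "[INFO] +- junit:junit:jar:4.13.2:test",
    r"[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test",
]

# "[INFO] " then the tree-drawing prefix (3 characters per level), then the
# groupId:artifactId:... coordinate.
LINE_RE = re.compile(r"^\[INFO\]\s?(?P<prefix>[|+\\ -]*)(?P<coord>\S+)")
TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")
RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])$")
# Qualifiers Maven orders below the bare release version (simplified list).
PRE_RELEASE = {"alpha": -5, "a": -5, "beta": -4, "b": -4,
               "milestone": -3, "m": -3, "rc": -2, "cr": -2, "snapshot": -1}


def version_key(version):
    """Tokenise a Maven version into comparable tuples (simplified ordering:
    numbers compare numerically, pre-release qualifiers sort below a release,
    any other word such as the "jre6" in 42.2.5.jre6 sorts above it)."""
    key = []
    for tok in TOKEN_RE.findall(version):
        if tok.isdigit():
            key.append((0, int(tok)))
        elif tok.lower() in PRE_RELEASE:
            key.append((-1, PRE_RELEASE[tok.lower()]))
        else:
            key.append((1, tok.lower()))
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1; a missing trailing component counts as 0 (42.3 == 42.3.0)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [(0, 0)] * (width - len(ka))
    kb += [(0, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def in_range(version, range_spec):
    """True if version lies inside a Maven range such as [42.1.0,42.3.3)."""
    m = RANGE_RE.match(range_spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {range_spec}")
    lo_bracket, lo, hi, hi_bracket = m.groups()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_bracket == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_bracket == ")"):
            return False
    return True


def parse_coordinate(coord):
    """Split groupId:artifactId:type[:classifier]:version[:scope]."""
    parts = coord.split(":")
    if len(parts) == 4:
        group, artifact, _type, version = parts
        scope = None
    elif len(parts) == 5:
        group, artifact, _type, version, scope = parts
    elif len(parts) == 6:
        group, artifact, _type, _classifier, version, scope = parts
    else:
        raise ValueError(f"unexpected coordinate: {coord}")
    return group, artifact, version, scope


def find_affected(tree_lines, group, artifact, range_spec):
    """Walk the tree and return every group:artifact whose version is inside
    range_spec, together with the dependency path from the root module."""
    findings, path = [], []
    for line in tree_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        g, a, v, scope = parse_coordinate(m.group("coord"))
        del path[depth:]            # pop back to this node's parent
        path.append(f"{g}:{a}:{v}")
        if g == group and a == artifact and in_range(v, range_spec):
            findings.append({"version": v, "scope": scope, "path": list(path)})
    return findings


if __name__ == "__main__":
    for f in find_affected(TREE_LINES, "org.postgresql", "postgresql", "[42.1.0,42.3.3)"):
        print(f"{f['version']} ({f['scope']}) via " + " -> ".join(f["path"]))
```

Because the driver is pulled in by `dsl-clc` rather than declared by the processor module itself, "update dependency version" means forcing the version on the transitive path, for which a `<dependencyManagement>` entry for `org.postgresql:postgresql` in the consuming pom is the usual Maven mechanism; 42.3.3 is the first version outside the reported range.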

zapov commented

This wasn't relevant before, and now this project does not exist anymore.